U.S. Supreme Court Allows FBI To Hack Anyone In Any Jurisdiction, Congress Could Reject New Rule

News
By published

The U.S. Supreme Court approved a rule change that would significantly expand the FBI’s powers to hack targets from any U.S. jurisdiction, and perhaps anywhere in the world. The rule has been criticized by civil liberties groups as well as some companies.

“Modernizing” The Criminal Code

The U.S. Department of Justice has asked for this rule change since 2013 and has promoted it as a way to “modernize” the criminal code for the digital age. However, civil liberties organizations such as the ACLU and Access Now, as well as major tech companies like Google, have argued that this would allow the FBI to hack not just individual targets, but computer networks, too--as a way to get to a target.

They also said this new rule could violate the Fourth Amendment, which protects against unreasonable searches and seizures. However, if the majority of the Supreme Court approved this rule, it’s likely it would also reject any case that challenges its constitutionality in the future, at least until the Supreme Court’s makeup changes significantly.

Congress has the power to reject such rule changes, and it could do so by December 1 this year. Otherwise, after that date, the rule will go into effect.

Hacking Millions To Get A Single Target

Senator Ron Wyden, who has taken the privacy side on multiple issues in the past few years, thinks this change would lead to “treating victims like attackers.” He also believes that this is an issue that should be settled by Congress, not the courts:

"Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime," Senator Ron Wyden said in an official statement. "These are complex issues involving privacy, digital security and our Fourth Amendment rights, which require thoughtful debate and public vetting. Substantive policy changes like these are clearly a job for Congress, the American people and their elected representatives, not an obscure bureaucratic process," he added.

Senator Wyden vowed to introduce legislation to reverse this rule change.

Unintended Consequences Of Extraterritorial Hacking

The Department of Justice denied that this expands the FBI’s authority to hacking targets from other countries, but at the same time it said that targets could also be hacked when the location is unknown. The DoJ also presented the new rule change as a tool against targets who use anonymization software, which should also imply that the target’s location may very well be in another country, as that’s how anonymization tools usually work.

The FBI used to collaborate with other countries when trying to apprehend someone that murdered or took hostage a U.S. person. Such investigations by the FBI were almost never unilateral.

Ahmed Ghappour, a professor at the University of California Hastings Law School, believes that this type of extraterritorial hacking could also lead to “accidental” cyber wars, because it could violate another country’s sovereignty. The attacks could also invite lawsuits against the FBI in international courts, and the more often such attacks happen unilaterally, the more they could strain relationships with other countries.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

TOPICS
Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
16 Comments Comment from the forums
  • Math Geek
    pretty easy read if you take the time to view the pdf file of the rules changes.

    rule 41(b)(6)(B)
    "in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts. "

    not sure what the definition of "protected computer" and "damaged" means in this context and this appears to be where folks have a problem with the change. does seem like the victim is hackable as well. so basically if someone "damages" a computer by infecting it with a virus, then anyone hit with the virus can be hacked and searched? not sure i like this idea much without more info on the definitions.

    seems like a stretch but if you read the code the rule refers to, getting a virus or malware seems to open you up to being searched under this rule.

    https://www.law.cornell.edu/uscode/text/18/1030

    "(5)
    (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
    (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
    (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss."

    the definition of "damaged" really seems to be important here and i don't see it defined at all so far.
    Reply
  • Darkk
    It's known that the feds would use middle in the man attacks to inject viruses / trojans on the target they are trying to break into. This is getting harder as time goes on when more and more websites are using SSL encryption. So they're looking for more broader ways to to reach that target.
    Reply
  • Math Geek
    not sure it's "ways" they need so much as more "reasons" to do it. :)

    it is getting very touchy and i'm willing to let a couple bad guys go to protect the mass majority if that's what it takes. i'm not sure how to take this one since it let's them hack victims as well as the bad guys. not sure what they hope to get from that one. could they infect folks with a virus/malware themselves and then use this rule to get warrants to search? kind of silly but it's not ruled out here.

    i can see why this is needed to hack folks who are hiding where they are at (ala tor network and vpn's) but not sure this has to include victims of attacks well.
    Reply
  • Shubus
    When this new rule goes into effect I just wonder how the rest of world will react knowing that the FBI will be monitoring them via NSA, too.
    Reply
  • Math Geek
    lol, they already know the nsa is monitoring them. even our allies know we spy on them and they spy on us as well. that's pretty much common knowledge.

    most of the point of the rule is to issue a search warrant to a non specific person. if someone is using tor or otherwise masking their ip address, then the fbi won't have a specific ip or person in mind to search. so they do need a way to search something without knowing exactly what will be at the other end. think of the child porn sting the did that is in the news. they did not know who was involved only that they traded on the tor site. so they had to see who was on the other end. getting a specific warrant was not able to be done in this case. without this rule some judges are already dropping cases against those caught in the sting and others are still pending review.

    this rule would have allowed them to get the needed warrant and legally figure out who the people were even if it led out of the US. this is not a bad thing since they are clearly bad guys. they could follow the breadcrumbs and see where they went.

    the objections are the other part that let's them follow to the victims and beyond as well. being a victim should not open you up the same as it does being the bad guy. i'm sure they could get some victims to hand over evidence on their own once identified without the need to search them all.
    Reply
  • Shubus
    My objection is to the global sweeping up of all information which is then used by bad actors in these 3 letter agencies for nefarious purposes.
    Reply
  • jasonelmore
    so the Department of justice can just arbitrarily go to the supreme court to change rules? Without going through other courts or congress first?

    That's messed up
    Reply
  • Shubus
    Hay, Obama does this all the time and the Supreme back him up. The process hasn't been the way we thought it was for quite some time now.
    Reply
  • oenomel
    Seems like this is an avenue for expansion for the big dogs (G, FB, AP) The first guy that can offer constant end to end encryption seems to be in line to make some cash!
    Reply
  • RedJaron
    There have been plenty of people able to offer true end-to-end encryption, they've hit a lot of gov't hurdles in doing so because the feds demand a back door into everything ( insert joke here, just kidding, please don't ).
    Reply